DNS

DNS analysis

Last updated 2 years ago

Third-Party Tools

Use these first, as they are completely passive and rely on Internet infrastructure instead of your own machine.

  • DNS Dumpster: https://dnsdumpster.com/

  • Shodan: https://www.shodan.io/

  • Censys: https://censys.io/

Dig

Powerful Linux-based tool used to gather and analyze DNS records.

Gather All Records for a Domain

These commands query the DNS server at 192.168.1.1 to gather records:

dig @192.168.1.1 sec542.org -t any
dig @192.168.1.1 sec560.org +norecursive    # Turns off recursion
dig @192.168.1.1 sec560.org +recursive      # Turns on recursion

Simplified PTR Lookups

Using the -x flag is the same as running dig 23.1.168.192.in-addr.arpa PTR (the octets reversed under the in-addr.arpa zone):

dig -x 192.168.1.23

Attempt Full Zone Transfer

Very unlikely to work, since most domains should not allow external zone transfers; it is more likely to succeed from the inside. Always attempt it anyway!

dig @<network dns server> m4lwhere.org -t axfr
dig @<network dns server> AXFR m4lwhere.org
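The defensive counterpart of the commands above, as an added example that is not part of these notes: a bash script that asks every authoritative server for a zone you operate for a full AXFR and reports which ones hand the zone to an unauthenticated client. It assumes dig is installed; example.test and the captured dig output at the bottom are constructed samples, not real hosts.

```shell
#!/usr/bin/env bash
# Constructed example, not part of the original notes: audit whether the
# authoritative servers for a zone you operate answer an AXFR from any client.
# Assumes dig (bind9-dnsutils) is installed; example.test is a placeholder.

# Classify dig AXFR output read from stdin:
#   open     - a full zone came back (record lines bracketed by two SOA records)
#   refused  - dig reported "; Transfer failed." (server answered REFUSED etc.)
#   unknown  - anything else (timeout, partial output)
classify_axfr_output() {
    local line soa_count=0 rr_count=0 failed=0
    while IFS= read -r line; do
        case "$line" in
            ';'*|'')   # dig comments and blank lines are not records
                case "$line" in *'Transfer failed'*) failed=1 ;; esac
                ;;
            *)         # resource record: name TTL class type rdata
                rr_count=$((rr_count + 1))
                case "$line" in *[[:space:]]IN[[:space:]]SOA[[:space:]]*)
                    soa_count=$((soa_count + 1)) ;;
                esac
                ;;
        esac
    done
    if [ "$failed" -eq 1 ]; then echo refused
    elif [ "$soa_count" -ge 2 ] && [ "$rr_count" -ge 2 ]; then echo open
    else echo unknown
    fi
}

# Try every NS of the zone (live query; not exercised by the samples below).
audit_zone_transfer() {
    local zone="$1" ns verdict
    for ns in $(dig +short NS "$zone"); do
        verdict=$(dig @"$ns" "$zone" AXFR +time=5 +tries=1 | classify_axfr_output)
        printf '%-20s %-25s %s\n' "$zone" "$ns" "$verdict"
    done
}

# Constructed dig output (spaces stand in for dig's tabs) to exercise the parser.
SAMPLE_OPEN='; <<>> DiG 9.18.0 <<>> @ns1.example.test example.test AXFR
;; global options: +cmd
example.test.      3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 3600
example.test.      3600 IN NS  ns1.example.test.
www.example.test.  3600 IN A   192.0.2.10
example.test.      3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 3600
;; Query time: 2 msec'
SAMPLE_REFUSED='; <<>> DiG 9.18.0 <<>> @ns1.example.test example.test AXFR
;; global options: +cmd
; Transfer failed.'
```

Run `audit_zone_transfer yourzone.example` against a zone you own; any server reported as open is leaking the whole zone and should restrict transfers to its secondaries.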

nslookup

We can use nslookup from a Windows host to try to gather information as well.

C:\Users\m4lwhere> nslookup
> server 10.0.0.1
> set type=AXFR
> ls -d goblins.local

DNSrecon

Multi-threaded DNS tool written in Python 3.

dnsrecon -d m4lwhere.org -n 8.8.8.8

DNS Brute Forcing

Attempt to enumerate DNS hostnames by guessing subdomains.

Gobuster

Uses gobuster's dns mode for subdomain brute forcing; it is multi-threaded 😎

gobuster dns -d m4lwhere.org -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt

Nmap Script

This script takes lots of arguments; the example below sets the domain, thread count and hostname wordlist:

nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80